Not so long ago I thought it would be usefull to learn a bit of assembly. Little did I know my ‘me-time’ was about to be consumed by looking at bytes and digging through assembly; let alone how much fun and fullfilment it brings. Today I want to share my first moments of discovering a new hobby.

This tutorial is for the absolute beginner, and should be seen as an 'hello world' equivelant. A teaser that provides a small taste into the Cheat Engine world. The game I'm using is called STRAFE, costs around 10 bucks and is actually pretty fun to play.

In this tutorial I will walk you through the complete process of making an infinite ammo cheat. In my experience the easiest so far.

Starting out with Cheat Engine is –super- easy. Find the instructions here: viewtopic.php?f=2&t=831
Buying the game you want to ‘crack’ is also, very, easy.

I’m going to do this in chunks, so bare with me.

With your game on the left and your Cheat Engine on the right, the first thing you want to do is stare at the screen and identify the value for ammo.

If you look, you will see the number 25 three times. So, the first thing we’ll do is look for this number in the memory. I do think this is a 4-byte value as it is fairly standard. But you can go through each of the types if the value doesn’t show.
Input the value 25 and press ‘First scan’. The first scan is always your base-line. From this point onwards, until you start a new scan, any search for values will be done in the list of addresses in the previous scan; trimming things you exclude.

We shoot once more, and look for 24 by changing the number and pressing the next scan button. Surprise surprise, 4 addresses remain. Earlier I pointed out that there was 3x25 in the image.
1) The label on the gun;
2) The label in the HUD;
3) The actual value from which these labels are derived.
(Unless you are a smartypants and think the bullet indicating 25-dots view is a number.....)

The next step is the add all 3 addresses to the address list by double-clicking. The addresses are now stored in the bottom of your Cheat Engine.

Now try and change the value one address at a time. You will notice that changing two of the values will not have any effect, and are set back to the value they were once a frame of the game has loaded in. That must be the labels. Changing the correct one will also change the other 2. That one is the one you want.

Well done. Freeze the value by checking the box in front of it and you have a temporary infinite ammo cheat.

If you’re reading this you are probably not satisfied that you have to do this every single time you want to Strafe through STRAFE at record pace. You want to make a script that does this for you, and sets the value accordingly.

We start doing this by right-clicking on the correct value and choosing “Find out what writes to this address”. Why write? The number is changing! You can’t change anything by reading, can you?

After firing a couple of rounds and reloading once you can see that 2 instructions have written to this address. Obviously we want the first one as we want to update the value when shooting, not when reloading. Select the top address and choose ‘Dissassemble this memory region’.

CE will now center and highlight the instruction that wrote to the address.
I won’t go into too much detail here, but on my first time through, no-one told me that [something] points to an actual adress. (in this case, the address where the ammo count resides). [rax+30] therefore means that something is stored in ‘Street, in the house with number 30’.
This can literally be translated into MOVE [HERE], SOMETHING (opcode destination,source)

Want to find out if my theory is correct? Let’s double click the line so we can edit it. We already know the value is a 4-byte value, so instead of eax, lets put in a raw value. 00 00 00 FF = 255

Well, now you definatly know this is the place to be. Shoot as much as you’d like, you will see it stays put at 255. (in address list and in game!)
Now, right-click and press “restore original code” (if it doesn’t work, restart ) and look at the top
for the tools menu -> Auto assemble -> Template -> AOB injection.

Say yes to the (ad)dress and CHANGE the name of INJECT. I called it ‘INF_AMMO’
The auto assembler will now be filled with a template. Believe me you are half-way.

For now all you need to know is that everything under [ENABLE] is injected into memory. At the location of the address where we edited the instruction previously. Cheat Engine makes a jump for us to a new location where we can do our own thing. You can see the original code under “code:”, right below INF_AMMO:
For now, lets change this

Now you have a script. Well played!
Why did we do this again? We didn’t want to look for the value but instead simply activate a script whenever we want. How does CE find the correct stuff? Well, the aobscan(..) function scans for an array of bytes. You probably figured out already that ‘aobscan(INF_AMMO,C7 40 30 FF 00 00 00)’ containts the exact same bytes as the highlighted row in the disassembler. I advise you read up on this thing, because it will be your best friend.

If you are anything like me; you are not fullfilled yet. You dislike having a railgun or shotgun with 25 ammo and really need to do something about it. Luckily this is often very easy. In my experience so far, the current and MAX ammo count are VERY close friends. So, lets change the current ammo count to the MAX ammo count!

There is literally a million ways to do find this out, but it really comes down to luck and ingenuity.
Lets get back to the disassembler. (Actually, my game crashed here because i forgot to restore the original code and activated the script; addressed are slightly off now)

We want to know where in memory RAX is located. We do this by setting a breakpoint in our new script or above it. In the image the cheat is activated so the proper instruction is now replaced by a jmp <address>. If you highlight it and press SPACE you will go to the new place in memory where our injection resides.
Set a breakpoint and hit fire. If the game halts, you know you did it right. To the right you will see the registers. In the code you see that the rax is getting the value that resides in rdi+40. And we know that rax is the thing we want. Remember from the script, that [rax+30] is where the ammo resides

Open the data structure dissector by pressing ctrl+D or using the tools menu. Put in the address that is now contained in RAX. Do not continue the program yet as the registers will change when you do so.
Now create a new structure with Structure -> define new structure. Press YES for all questions asked.
Navigate to offset 30 and voila, theres a 19! Our current ammo count. See that suspicious 25 underneath it? Told you, current and MAX are often best-friends.
So now we know that rax+34 contains the max amount of ammo for 1 magazine/clip/whatever.
Lets adjust the script accordingly

[b]Replace[/b]
mov [rax+30],(int)25 //set it to 25, because it looks nicer than 255
[b]With[/b]
push rbx //Save the value in RBX for restoring it later, use a random register here
mov rbx,[rax+34] //Move the Max ammo into our Register
mov [rax+30],rbx //Move the value in our register into out Current ammo count
pop rbx //Restore original value
(read up on stacks if you want to know what push and pop does)

Now, whatever gun you use, the current ammo will be set to the max ammo!

Congrats for the tutorial! One observation: in order to have normal-jump references to your code cave, try to allocate close to game's module. As in, use alloc(x, size, game.exe) rather than alloc(x, size).

Instead of this:

(see the FF 25 then following bytes?)

You will see a normal jump: E9 xx xx xx xx.

Cheers,
Sun

Thanks, first 'blog' piece I ever wrote!
Regarding the observation, the screenshot has the jump with the correct alloc(..,STRAFE.exe). I just re-tried it and it does the exact same thing. Mono related maybe?

Why is there a dollar-sign infront of the memory to allocate, and what would be the appropriate way to determine this value? At the moment I am just putting more in there than I would need. The -perfect- way would be to determine how much bytes the whole script puts in memory? (assuming 1 inject per script)
In non Mono-games it seems to paste the module name behind it, and it also uses aobscanmodule. I read somewhere it's about Mono not defining a module like normal?

Thank you for the detailed description, now I actually know what I'm doing. However, any attempts to include the ,STRAFE.exe in the alloc may cause the game to crash (and does for each of my scripts at the moment). I have been struggling with it for a while and others had already pointed this out to me.
I can also see that before it crashes the injected code is a long jmp even with the modulename attached. (FF25 00000...)
Why it didn't crash while making the tutorial I can't explain, as it does crash now.
aobscanmodule doesn't work either.

Either the game doesn't want to do what you/we want to do, or I a'm doing something wrong. I suspect its the former. I'm gonna check with a non Mono game and see what happens in both scenario's.